What is the CVSS score of CVE-2026-42088?

CVE-2026-42088 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of OpenC3 COSMOS are affected by CVE-2026-42088?

OpenC3 COSMOS versions before 7.0.0 allow authenticated users to escalate privileges and bypass API authorization through the Script Runner widget, gaining direct access to Redis databases and MinIO…. A patch is available.

How to fix or mitigate CVE-2026-42088?

Within 24 hours: Identify all OpenC3 COSMOS deployments and document current versions. Within 7 days: Upgrade all instances to version 7.0.0 or later; verify upgrade completion and test Script Runner functionality. Within 30 days: Audit logs for unauthorized Script Runner executions, rotate all secrets stored in Redis/MinIO, review IAM policies to restrict low-privileged user access to Script Runner widget, and implement network segmentation to isolate container-to-container communication.

OpenC3 COSMOS CVE-2026-42088

EUVD-2026-27065 CRITICAL

Execution with Unnecessary Privileges (CWE-250)

2026-05-04 GitHub_M

Privilege Escalation Python Docker Redis

9.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

May 04, 2026 - 19:17 EUVD

Source Code Evidence Fetched

May 04, 2026 - 18:02 vuln.today

Analysis Generated

May 04, 2026 - 18:02 vuln.today

Analysis Generated

May 04, 2026 - 17:45 vuln.today

CVE Published

May 04, 2026 - 17:21 nvd

CRITICAL 9.6

DescriptionNVD

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3.

AnalysisAI

Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. …

RemediationAI

Within 24 hours: Identify all OpenC3 COSMOS deployments and document current versions. Within 7 days: Upgrade all instances to version 7.0.0 or later; verify upgrade completion and test Script Runner functionality. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42088 vulnerability details – vuln.today

Back